SpringOne Platform 2017
Peter Blum, Pivotal; Scott Frederick, Pivotal
From the platform all the way down to the microservices which run upon it, secrets are everywhere, and leaking them can be a costly experience. Understanding security best practices, such as encrypting secrets in transit, encrypting secrets at rest, rotating secrets regularly, preventing secrets from unintentionally leaking when consumed by the final application, and strictly adhering to the principle of least privilege, where an application only has access to the secrets that it needs, no more and no less, can be daunting. A new Cloud Foundry Foundation project, CredHub, was designed for these reasons. This session will take a fresh look at how to enhance security within Cloud Foundry and applications through secret management by using CredHub in conjunction with Spring Cloud Services.
4. Configuring Credentials
- Verizon: phone numbers, names and PIN codes of six million customers were left unsecured online for nine days.
- Accenture: inadvertently left a massive store of private data across four unsecured cloud servers, exposing highly sensitive passwords and secret decryption keys.
- Equifax: website secured by the worst username and password possible: `admin`, `admin`.
- Viacom: owners of Paramount Pictures, Comedy Central, MTV, and hundreds of other properties, has exposed the keys to its kingdom on an unsecured Amazon S3 server.
5. Leaked Credentials
- Uber: breach occurred when hackers discovered that the company's developers had published code that included their usernames and passwords on a private account of the software repository GitHub.
- OneLogin breached: hacker finds cleartext credential notepads.
- Deloitte is a sitting duck: VPN and proxy login details leaked.
6. Using Credentials
- Equifax: hackers roamed its systems undetected from mid-May through late July 2017, accessing files on nearly half the U.S. population.
- 14 years to discover data breach: Tewksbury Hospital in Massachusetts, where a clerk inappropriately accessed the records of more than 1,000 patients between 2003 and 2017.
- Compromised data goes undetected for days: according to the latest Protenus Breach Barometer, it took an average of 441 days for organizations to find out a breach occurred.
7. Goals
Central point for credential:
- Generation
- Storage
- Rotation
- Logging
- Access Control
[Charts: x-axis Time, y-axis Credential Leaks, titled Credential Config]
11. Credential Types
- value - a simple string, used for configuration and other non-generated properties
- password - a simple string, used for generated secrets
- user - username and password pair
- json - a JSON object
- certificate - an object containing a root CA, certificate and private key
- rsa - an object containing an RSA public key and private key
- ssh - an object containing an SSH-formatted public key and private key
http://docs.cloudfoundry.org/credhub/credential-types.html
12. REST API
- Secured via mutual TLS, and/or OAuth2 with UAA
- Get/Set/Generate/Delete Credential
- Get/Add/Delete Permission
- Interpolate VCAP_SERVICES
https://credhub-api.cfapps.io
13. Java mapping to CredHub REST API
- Supports all credential types and operations
- Spring Boot auto-configuration support
- Apps deployed to CF with Java Buildpack automatically negotiate mutual TLS
- 1.0.0.RELEASE coming soon
16. BOSH Benefits
- Simplified Deployment Manifests
- Relax Access to BOSH Director
- Enables Sharing of Deployment Manifests
[Side-by-side comparison of `$ bosh -e pcf -d pcf manifest` output]
25. Assisted Credential Resolution
[Diagram: cf push -> Cloud Controller (create env) -> Diego / Diego Cell; POST /interpolate to CredHub; VCAP_SERVICES delivered to App (VCAP_SERVICES shown masked before interpolation)]
26. Application Benefits of Using CredHub (Assisted Mode)
- Cloud Controller database (encrypted)
- Cloud Controller REST API responses
  - /v2/apps/:guid/env
  - /v2/service_bindings/:guid
- Staged application droplets
- cf ssh
27. Non-Assisted Credential Resolution
Spring applications using Spring Cloud Connectors or Spring Boot ${vcap.service.} properties will have framework support to automate resolution.
[Diagram: cf push -> Cloud Controller (create env) -> Diego / Diego Cell -> App; POST /interpolate to CredHub; VCAP_SERVICES (shown masked before interpolation)]
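A toy in-memory model of the typed credential store from the credential-types slide and of the VCAP_SERVICES interpolation step shown in the assisted and non-assisted diagrams, written in Python as an added example for this page; it is not CredHub's, Pivotal's or Spring CredHub's code. The credential type names and the `credhub-ref` key come from CredHub's public API; the `ToyCredHub` class, its method names, the sample broker binding, the generated-password alphabet and the assumption that only json-type credentials are interpolated are this example's own.

```python
import json
import secrets
import string

# Required fields for each CredHub credential type, from the list on the
# credential-types slide. None means the value is a scalar or a free-form
# JSON object rather than a fixed set of fields.
REQUIRED_FIELDS = {
    "value": None,
    "password": None,
    "user": {"username", "password"},
    "json": None,
    "certificate": {"ca", "certificate", "private_key"},
    "rsa": {"public_key", "private_key"},
    "ssh": {"public_key", "private_key"},
}


class ToyCredHub:
    """In-memory stand-in for the CredHub data store (assumed API shape)."""

    def __init__(self):
        self._store = {}

    def set(self, name, cred_type, value):
        """Models PUT /api/v1/data: check the value matches the type, then store."""
        if cred_type not in REQUIRED_FIELDS:
            raise ValueError(f"unknown credential type {cred_type!r}")
        required = REQUIRED_FIELDS[cred_type]
        if required is not None:
            missing = required - set(value)
            if missing:
                raise ValueError(f"{cred_type} credential missing {sorted(missing)}")
        elif cred_type == "json" and not isinstance(value, dict):
            raise TypeError("json credential must be a JSON object")
        elif cred_type != "json" and not isinstance(value, str):
            raise TypeError(f"{cred_type} credential must be a string")
        self._store[name] = {"type": cred_type, "value": value}
        # Return metadata only; the secret is never echoed back to the caller.
        return {"name": name, "type": cred_type}

    def generate(self, name, length=32):
        """Models POST /api/v1/data with type=password: the server generates
        the secret, so no client ever has to choose or transmit it."""
        alphabet = string.ascii_letters + string.digits  # constructed charset
        value = "".join(secrets.choice(alphabet) for _ in range(length))
        self._store[name] = {"type": "password", "value": value}
        return {"name": name, "type": "password"}

    def get(self, name):
        """Models GET /api/v1/data?name=...; access control is out of scope here."""
        return self._store[name]["value"]

    def interpolate(self, vcap_services):
        """Models POST /api/v1/interpolate: every binding whose credentials
        block holds a credhub-ref is replaced by the referenced json credential
        (only json-type credentials are resolved; an assumption of this toy)."""
        resolved = json.loads(json.dumps(vcap_services))  # deep copy
        for bindings in resolved.values():
            for binding in bindings:
                ref = binding.get("credentials", {}).get("credhub-ref")
                if ref is None:
                    continue  # ordinary binding, left untouched
                name = ref.strip("()")  # "((/c/...))" -> "/c/..."
                entry = self._store.get(name)
                if entry is None or entry["type"] != "json":
                    raise KeyError(f"no json credential stored at {name}")
                binding["credentials"] = entry["value"]
        return resolved


def demo():
    """Walks a constructed secure service binding end to end and reports
    whether the pre-interpolation environment contained the plaintext."""
    hub = ToyCredHub()
    # Constructed sample: what a broker would store at bind time.
    hub.set("/c/toy-broker/toy-db/binding-1/credentials", "json",
            {"uri": "postgres://app:example-pw@db.internal/app"})
    # What Cloud Controller hands to the cell: a reference, no plaintext.
    vcap_before = {"toy-db": [{"name": "db", "credentials": {
        "credhub-ref": "((/c/toy-broker/toy-db/binding-1/credentials))"}}]}
    leaked_before = "example-pw" in json.dumps(vcap_before)
    vcap_after = hub.interpolate(vcap_before)
    return leaked_before, vcap_after


if __name__ == "__main__":
    leaked, resolved = demo()
    print("plaintext present before interpolation:", leaked)
    print(json.dumps(resolved, indent=2))
```

The point of `demo()` is the part of the flow the slides' redacted `VCAP_SERVICES` box is making: everything that stores or displays the environment before interpolation (the Cloud Controller database, `/v2/apps/:guid/env`, the droplet, `cf ssh`) only ever sees the `credhub-ref`, and the plaintext exists only in CredHub and in the process that calls `/interpolate`.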
29. Availability
- CredHub bits are included in cf-deployment since version v0.36.0
- Deployment manifest customization required to enable secure service binding credentials workflow
- Starting in Pivotal CF 2.0:
  - Secure service binding credentials support can be enabled or disabled in PAS tile configuration
  - Assisted mode only
- Service brokers will be updated to support secure binding credentials on their own release schedules
30. Learn More. Stay Connected.
How to Build Spring Services for Cloud-Native Platforms
Using the Open Service Broker API
Matthew McNeeney, Sam Gunaratne
Thursday 12:30 room 2004